Home Location Register (HLR)
Signaling System #7 (SS7)
Mobile Switching Center (MSC)
Mobile Subscriber Integrated Services Digital Network (MSISDN)
International Mobile Subscriber Identity (IMSI)
Numbering Plan Area (Area Code) (NPA)
NXX (Telephone Exchange)

The Goose that Laid the Golden Egg
What can't you do with SS7 access?

What can you do without it?

■ Location information
■ Identity information
■ Provider specific attacks

Uncovered HLR services in the EU

■ SMS services offering HLR queries
■ Services accessible via Web API

Affects

CDMA (not discussed in Tobias' talk)

cent?



HLR information on a per-subscriber basis

■ What origin provider?
■ What origin country?

Marketing "augmentation"




Provider (MNC)

■ Maintain stealth during provider specific attacks
■ Allows the attacker to know what network a target is using for "IMSI catching"

Country (MCC)

■ Allows us to know whether a target is roaming
■ Tells us where the target is from

Unique serial number for a SIM card

Should never be exposed to someone outside the network

Sent as rarely as possible

TMSI is sent instead (Temporary Mobile Subscriber Identity)

Knowing the IMSI allows tracking and interception



MSC values equate to a physical location

With varying granularity

Switching center may span multiple cities

May only exist in one part of a city

However, MSC values for the USA must be reverse engineered

...and they can be




NANPA is our Friend

NPANXX database describes...?

■ Area Codes
■ Exchanges
■ What state
■ What rate center (essentially, the city)
■ What company has been allocated that NPANXX




mysql> SELECT * FROM npanxx.lookup WHERE ratecenter LIKE '%denver%' AND company LIKE '%mobile%';

Result columns: npa | nxx | ocn | company | ratecenter | effectivedate | npanxx_use | assigndate

Legible values in the result set: npa 303 and 720; nxx 667, 668, 669, 875, 831, 860, 217, 220, 231, 238, 261, 280, 299, 323, 341, 352, 394, 401, 421, 771, 933, 834, 835, 936, 937, 938; ocn 6529 on every row; company T-MOBILE USA, INC. and ratecenter DENVER on every row. The effectivedate, npanxx_use and assigndate columns are not legible in the slide capture.

31 rows in set (0.11 sec)
mysql>






Query the HLR APIs for MSC data for each subscriber

Pick logical times when most people are not mobile

■ Early morning
■ Afternoon
■ Late evening

Correlate the resulting data

Enhance the location information by creating bounding boxes




How? Define who a subscriber is 
Okay... so how? 




Not a public resource, but not a private one, either.

CNAM service is all you need

ine enhanced with CNAM

We need to?

Caller ID spoofing and time is all you need.

Fractions of a cent.

Line receiving the call simply logs the CNAM record and drops the call.

Answering the line isn't necessary.




mysql> SELECT * FROM cnam_lookup WHERE cnam LIKE '%trac%' OR cnam LIKE '%shell%' OR cnam LIKE '%paragon%' OR cnam LIKE '%moore%' OR cnam LIKE '%emb%' OR cnam LIKE '%wits%' OR cnam LIKE '%govt%' OR ...;
+------+---------------------+-----+-----------------+
| id   | date                | num | cnam            |
+------+---------------------+-----+-----------------+
| 1234 | 2010-04-19 03:18:02 | 617 | MOORE RICHARD   |
| 1410 | 2010-04-19 13:16:28 | 303 | MOORE JOHN      |
| 2315 | 2010-04-19 17:00:38 | 407 | SATELLITE TRACK |
| 2363 | 2010-04-19 17:05:26 | 407 | SATELLITE TRACK |
| 2413 | 2010-04-19 17:10:00 | 407 | SATELLITE TRACK |
| 2435 | 2010-04-19 17:11:48 | 407 | SATELLITE TRACK |
| 2461 | 2010-04-19 17:13:57 | 407 | SATELITE TRACK  |
| 2463 | 2010-04-19 17:14:08 | 407 | SATELLITE TRACK |
| 2571 | 2010-04-19 18:48:47 | 202 | EMBASSY OF UKRA |
| 3837 | 2010-04-19 23:52:46 | 713 | SHELL COMPANIES |
| 3833 | 2010-04-19 23:52:52 | 713 | SHELL COMPANIES |
| 3889 | 2010-04-19 23:52:58 | 713 | SHELL COMPANIES |
| 3891 | 2010-04-19 23:53:11 | 713 | SHELL COMPANIES |
| 4137 | 2010-04-20 00:18:48 | 713 | US GOVT FBI     |
| 4203 | 2010-04-20 00:19:33 | 713 | US GOVT FBI     |
+------+---------------------+-----+-----------------+

Five further rows are only partly legible in the slide capture (ids 4490, 4492 and 4501 are visible; dates are not): 202 WITS3, 202 WITS 2001, 202 PARAGON SYSTEMS, 202 WITS 2001, 512 MOOREH.

20 rows in set (0.01 sec)
mysql>




the NPANXX records by region and company

Build a profile of subscribers for that region

Are lots of MSISDNs 'Unavailable'?

Are they people?

Are they businesses?

Are they organizations? (Government/etc)

White Pages now provides a web API

Search by name and city/state

Rate Center (NPANXX) + State + Caller ID






Some records wi 

Records with addresses contain geo-location data!




Not only do we know who you are, but...

Now we can enhance our MSC map with geo-location data

Creates a sort of bounding box for MSCs

Note that this will change over time

Enhances the ability for an attacker to perform IMSI catching

If they are watching you move from MSC to MSC, they can make approximations of your location

But, don't they have to compete with the actual cell towers?

Yes. But... there's a database for that (:




Database provides

■ Cell tower location information
  □ Latitude
  □ Longitude
■ What provider owns or leases that tower
  □ MCC
  □ MNC



Allows us to infer

■ What set of potential cell towers a subscriber may land at on an MSC transfer
■ Where the cell towers are in relation to
  □ The attacker
  □ The potential locations for a target handset

Results in enhanced IMSI Catching

Make predictions about which cell tower you will associate with next

Based on travel (MSC) data changing over time

Provides the attacker with enough ammunition to compete with higher probability of success




Where you are

Who you are

Where your MSC boundary lies

What cell towers you're likely on in that area

What subscriber you are within that cell





Ye old Caller ID spoofing trick 

Snoop on someone's Voice Mail with ease 

Change their VM announcement to Rick 
Astley 




Knowing the provider enhances stealth

Maximize success of attack while minimizing exposure

Allows for provider specific attacks, such as

■ Knowing whether the network allows certain types of SMS messages
  □ Allows tailoring of SMS/MMS specific attacks
■ Whether caller ID spoofing may lead to voicemail breakins



Let's talk about voice mail crawling.

Extract phone numbers from voicemails that have been left

Pull Caller ID records on those phone numbers

Pull location data on those phone numbers

It's not just ASM's social network research!

We can...






Make relationship associations using tracking data

Predict patterns of behavior in social groups, not just individuals



What if you notice behavior patterns change using location and VM data?

What if suddenly

■ A husband and wife are at different locations during the evening according to MSC?
■ A co-worker is no longer in the same location data during the afternoon?
■ Two executives meet at regular monthly intervals at some location

Curious about what's happening?

Leverage ASM's LOLphone (Toorcon 2007)!

■ Swaps Caller ID for two victims
■ Drop two or more people into a conference with the attacker (or an automated system) snooping the call
■ Catalogue the resulting call
■ Intel enhancement

What if we connect a victim to her own voice mail box?




Opportunistic espionage based on pattern analysis

Information gathering on groups of individuals

Ability to ascertain relationships



Family 

Friends 

Coworkers 



Executives in Corporations 

Sabotage 





Who you are 

Who your friends/family/co-workers are 

Where you are 

Where they are 

What you're probably doing

...and what you'll probably do next



We know where you are, but where are your sensors and your SCADA?

Device profiling? We can do it!

■ Kindles
■ Tracking Devices
■ Urban Traffic Systems
■ SCADA sensors
■ Smart meters



Coming soon to a conference near you...! 




Yes... we are working on CDMA! 




Coming soon to a conference near you! 
mysql> SELECT id, num, cnam FROM cnam_lookup WHERE cnam LIKE '%carmen%';
+-----+-----+----------------+
| id  | num | cnam           |
+-----+-----+----------------+
| 127 |     | SANDIEGOCARMEN |
+-----+-----+----------------+
1 row in set (0.00 sec)
mysql>




